International Law Firm Falls Victim to Data Breach

In an ironic twist, an international law firm specializing in aiding companies affected by security incidents has found itself at the center of a cybersecurity crisis. Orrick, Herrington & Sutcliffe, based in San Francisco, recently disclosed that it suffered a cyberattack in March 2023, resulting in the exposure of sensitive health information belonging to over 637,000 data breach victims. The breach, initially downplayed, has escalated in magnitude and raised concerns about the security practices within law firms entrusted with handling such incidents.

Orrick, known for its role in managing regulatory requirements for companies facing security incidents, fell prey to hackers who infiltrated its network. The breach compromised the personal information and sensitive health data of clients affected by security incidents, for whom Orrick served as legal counsel. The stolen data includes names, dates of birth, postal addresses, email addresses, and government-issued identification numbers like Social Security, passport, driver’s license, and tax identification numbers.

Additionally, the exposed information encompasses medical treatment and diagnosis details, insurance claims data, online account credentials, and credit/debit card numbers. The affected individuals include those with vision plans from EyeMed Vision Care and dental plans from Delta Dental. Orrick also notified other entities, including MultiPlan, Beacon Health Options (now Carelon), and the U.S. Small Business Administration, of their compromised data.

The breach’s severity became more apparent as Orrick revised the number of affected individuals, which tripled from the initial disclosure. Despite the increase, Orrick stated it did not anticipate providing notifications for additional businesses. The firm, however, did not clarify the criteria used to reach this conclusion, leaving the circumstances surrounding the breach investigation unclear.

In the aftermath, Orrick issued data breach notification letters to affected individuals, expressing regret for the inconvenience caused by the incident. While Orrick did not divulge details about the initial network breach or whether a financial ransom was demanded, the incident prompted four class-action lawsuits accusing the firm of delayed disclosure. Orrick informed a San Francisco federal court in December that it had reached an agreement in principle to settle these lawsuits, emphasizing a commitment to ongoing efforts to protect client information.
